Analysis
-
max time kernel
66s -
max time network
126s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
28-05-2021 17:48
General
-
Target
sample.exe
-
Size
1.3MB
-
MD5
0e64acab6fb3d50aaebc17e6dfb2d289
-
SHA1
c5c672a4a8ebae04cf7471c56136dce58ccd88f0
-
SHA256
cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f
-
SHA512
e797d31d7355d1f222a444fa934599582ffd9593185668382b9ad05ade1086d152f342305fb1b734a4cc0f691b2b4ba70fd8f183f77aa3f6f775a470fb4e7013
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\Decrypt-me.txt
Ransom Note
All Your Files Has Been Encrypted
You Have to Pay to Get Your Files Back
1-Go to C:\ProgramData\ folder and send us prvkey*.txt.key file , * might be a number (like this : prvkey3.txt.key)
2-You can send some file little than 1mb for Decryption test to trust us But the test File should not contain valuable data
3-Payment should be with Bitcoin
4-Changing Windows without saving prvkey.txt.key file will cause permanete Data loss
Our Email:poker021@mailfence.com
in Case of no Answer:poker021@tutanota.com
Emails
Email:poker021@mailfence.com
Answer:poker021@tutanota.com
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Drops file in Drivers directory 9 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Drops startup file 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
NTFS ADS 3 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample.exe"C:\Users\Admin\AppData\Local\Temp\sample.exe"1⤵
- Drops file in Drivers directory
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSDTC2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop MSDTC3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSDTC4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop SQLSERVERAGENT3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQLSERVER2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop MSSQLSERVER3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop vds2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop vds3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop vds4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLWriter2⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLWriter3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLBrowser2⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLBrowser3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQLSERVER2⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQLSERVER3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO12⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQL$CONTOSO13⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$CONTOSO14⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Decrypt-me.txt1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\Decrypt-me.txtMD5
7fc41c92d20d4659f22ee252a93af9ed
SHA119b26f6043de9fbf1717eb93f4fd2a55a395eb57
SHA2561b148dcb657c925a5360fa3e20d8ed0d80fe0b2cc67cb69255aa82d017f2daee
SHA512a33be73cc3ffc7807a7ddde098c4879f97d669f2396a77f7954d2418c9c13547a1f5bdd1d2a3682c8e3c44dac67dadce552a1e8d9f0b3ecbcf7e4e813b8edf65
-
memory/328-73-0x0000000000000000-mapping.dmp
-
memory/520-81-0x0000000000000000-mapping.dmp
-
memory/616-80-0x0000000000000000-mapping.dmp
-
memory/844-77-0x0000000000000000-mapping.dmp
-
memory/968-78-0x0000000000000000-mapping.dmp
-
memory/1108-83-0x0000000000000000-mapping.dmp
-
memory/1208-92-0x000007FEFB881000-0x000007FEFB883000-memory.dmpFilesize
8KB
-
memory/1208-59-0x0000000000000000-mapping.dmp
-
memory/1236-86-0x0000000000000000-mapping.dmp
-
memory/1236-61-0x0000000000000000-mapping.dmp
-
memory/1280-60-0x0000000000000000-mapping.dmp
-
memory/1372-82-0x0000000000000000-mapping.dmp
-
memory/1456-88-0x0000000000000000-mapping.dmp
-
memory/1464-68-0x0000000000000000-mapping.dmp
-
memory/1484-69-0x0000000000000000-mapping.dmp
-
memory/1588-71-0x0000000000000000-mapping.dmp
-
memory/1628-91-0x0000000000000000-mapping.dmp
-
memory/1628-67-0x0000000000000000-mapping.dmp
-
memory/1660-72-0x0000000000000000-mapping.dmp
-
memory/1696-90-0x0000000000000000-mapping.dmp
-
memory/1700-66-0x0000000000000000-mapping.dmp
-
memory/1716-70-0x0000000000000000-mapping.dmp
-
memory/1728-64-0x0000000000000000-mapping.dmp
-
memory/1740-85-0x0000000000000000-mapping.dmp
-
memory/1768-65-0x0000000000000000-mapping.dmp
-
memory/1796-75-0x0000000000000000-mapping.dmp
-
memory/1796-76-0x0000000075631000-0x0000000075633000-memory.dmpFilesize
8KB
-
memory/1800-84-0x0000000000000000-mapping.dmp
-
memory/1812-74-0x0000000000000000-mapping.dmp
-
memory/1952-89-0x0000000000000000-mapping.dmp
-
memory/1952-63-0x0000000000000000-mapping.dmp
-
memory/1956-87-0x0000000000000000-mapping.dmp
-
memory/1972-62-0x0000000000000000-mapping.dmp